From 9e9c187bf3f14abe88297139f7e6aeb386106b5c Mon Sep 17 00:00:00 2001 From: Feross Aboukhadijeh Date: Mon, 30 May 2016 00:56:47 -0700 Subject: [PATCH] Use safe-buffer Use the new Buffer APIs from Node v6 for added security. For example, `Buffer.from()` will throw if passed a number, unlike `Buffer()` which allocated UNINITIALIZED memory in that case. Use the `safe-buffer` package for compatibility with previous versions of Node.js, including v4.x, v0.12, and v0.10. https://github.com/feross/safe-buffer --- index.js | 10 +++++----- package.json | 1 + test/fetch.js | 4 ++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/index.js b/index.js index 0ef6291..d145a35 100644 --- a/index.js +++ b/index.js @@ -46,9 +46,10 @@ module.exports = function (metadata) { if (!handshake.metadata_size) { return this.emit('warning', new Error('Peer does not have metadata')) } - - if (handshake.metadata_size > MAX_METADATA_SIZE) { - return this.emit('warning', new Error('Peer gave maliciously large metadata size')) + if (typeof handshake.metadata_size !== 'number' || + MAX_METADATA_SIZE < handshake.metadata_size || + handshake.metadata_size <= 0) { + return this.emit('warning', new Error('Peer gave invalid metadata size')) } this._metadataSize = handshake.metadata_size @@ -200,8 +201,7 @@ module.exports = function (metadata) { } utMetadata.prototype._requestPieces = function () { - this.metadata = new Buffer(this._metadataSize) - + this.metadata = Buffer.alloc(this._metadataSize) for (var piece = 0; piece < this._numPieces; piece++) { this._request(piece) } diff --git a/package.json b/package.json index 9089ba4..58cb79d 100644 --- a/package.json +++ b/package.json @@ -15,6 +15,7 @@ "bitfield": "^1.0.1", "debug": "^2.2.0", "inherits": "^2.0.1", + "safe-buffer": "^5.0.1", "simple-sha1": "^2.0.0" }, "devDependencies": { diff --git a/test/fetch.js b/test/fetch.js index 8ac95cf..302a9a3 100644 --- a/test/fetch.js +++ b/test/fetch.js @@ -4,8 +4,8 @@ var Protocol = require('bittorrent-protocol') var test = require('tape') var utMetadata = require('../') -var id1 = new Buffer('01234567890123456789') -var id2 = new Buffer('12345678901234567890') +var id1 = Buffer.from('01234567890123456789') +var id2 = Buffer.from('12345678901234567890') test('fetch()', function (t) { t.plan(3)